The CVE program was started over 25 years ago. It is very reputable (until yesterday) and it was very much in the interest of the US to be seen as the stewards of this.
The funding requirements can't be that high and I'm willing to bet that other countries and entities would have happily stepped up if they had the chance.
Up until recently CVE was very centralized and only in the last few years have there been steps in more decentralization with CNAs taking more responsibility, Red Hat as a CNA of last-resort etc.
So, the cost of doing all of this work has already been shifted partially (!) away from the US but I have not seen any movement towards e.g. moving the program to a foundation which could have been done.
Personally I would conclude that it was the responsibility of the US to pay for this because they wanted to and it was in their best interest to control this program.
They have the chance to step up now. Every Comercial company that is supposedly so reliant on this for their very existence has the opportunity today. They can fund it.
What commercial company is going to "fund" this? It's such a strange idea, disconnected from the real world. You may as well say "companies can start doing road maintenance, as they are so reliant on them for their very existence."
And perhaps if there had been more than a days notice, some consortium could be pulled together, but who's going to pay? Why would private companies do this, how do they profit? CVE program was the roads that everybody could drive on.
The basic lack of understanding of how the world works is killing the US. Why do people think we have such a massive GDP? Where do people think that comes from? We've given control of everything in society over to our dumbest and greediest members that have no clue about how anything works.
The EU. They can have all the massive advantages that funding MITRE will give them. Why won't they step up to the plate? It's killing the EU and they have absolutely no idea how anything works. It's why they're a dying empire.
I will bet money that removing the cap from a bottle will be a hate crime in Europe before they start funding a institution like MITRE that actually functions.
I mention this in another comment. The infrastructure for an alternative is already partially in place.
In my opinion it's mostly the industry needing to adapt to a new setup that needs to happen. It was just "easy" to rely on what's already there. A lot of company policies need to be adapted etc.
The funding requirements can't be that high and I'm willing to bet that other countries and entities would have happily stepped up if they had the chance.
Up until recently CVE was very centralized and only in the last few years have there been steps in more decentralization with CNAs taking more responsibility, Red Hat as a CNA of last-resort etc. So, the cost of doing all of this work has already been shifted partially (!) away from the US but I have not seen any movement towards e.g. moving the program to a foundation which could have been done.
Personally I would conclude that it was the responsibility of the US to pay for this because they wanted to and it was in their best interest to control this program.